CLAIMS 

What is claimed is: 



1 1 . A method for controlling access to a resource, the method comprising the steps of: 

2 creating and storing in the Operating System filesystem a file that represents the 

3 resource; 

4 receiving user-identifying information from a user requesting access to the resource, 

5 wherein the user-identifying information comprises a role associated with the 

6 user, wherein the role is determined from a user identifier uniquely associated 

7 with the user and from a group identifier associated with a group that includes 

8 the user; 

9 receiving a resource identifier associated with the resource; 

10 creating an access identifier based on the user-identifying information and the 

1 1 resource identifier, wherein the access identifier is formatted as a file attribute 

12 that is used by the Operating System to manage file access; 

13 calling the Operating System to perform an operation on the file using the access 

14 identifier to gain access to the file; and 

15 granting the user access to the resource only if the Operating System call successfully 

16 performs the operation. 

12. A method as recited in Claim 1, wherein the access identifier comprises: 

2 a first set of bits for storing a role identifier, wherein the role identifier is associated 

3 with the role; and 

4 a second set of bits for storing the resource identifier. 

13. A method as recited in Claim 1, wherein: 

2 the step of creating an access identifier based on the user-identifying information and 

3 the resource identifier comprises formatting the access identifier as a group 

4 identifier file attribute; and 

5 the step of calling the Operating System to perform an operation on the file 

6 representing the resource comprises: 

7 assigning the access identifier to a group identifier attribute of an 

8 Operating System process; and 
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9 calling an Operating System routine from the Operating System 

10 process to perform the operation on the file representing the 

1 1 resource. 

14. A method as recited in Claim 1, wherein the step of calling the Operating System to 

2 perform an operation on the file representing the resource comprises comparing the 

3 access identifier to an identifier included in an Access Control List file attribute 

4 associated with the file representing the resource, wherein the Access Control List file 

5 attribute includes the identifiers of all users and all groups of users allowed to access 

6 the file representing the resource. 

15. A method as recited in Claim 1, wherein the operation on the file representing the 

2 resource is selected from a group consisting of opening the file, closing the file, 

3 deleting the file, reading from the file, writing to the file, executing the file, 

4 appending to the file, reading a file attribute, and writing a file attribute. 

16. A method as recited in Claim 1, the method further comprising the steps of: 

2 reading a permission bit associated with the file representing the resource, wherein 

3 the permission bit corresponds to a file operation performable on the file 

4 representing the resource; 

5 based on the file operation indicated by the permission bit, determining a resource 

6 operation that is performable on the resource; and 

7 granting the user the privilege of performing the resource operation on the resource 

8 only if the permission bit allows the file operation to be performed on the file 

9 representing the resource. 

17. A method as recited in Claim 1, the method further comprising the steps of: 

2 opening the file representing the resource; 

3 reading from the file representing the resource a permission indicator associated with 

4 a resource operation; and 

5 enabling the user to perform the resource operation on the resource only if the 

6 permission indicator indicates that the user is allowed to perform the resource 

7 operation on the resource. 
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18. A method as recited in Claim 1, wherein the step of representing the resource by a file 

2 stored in the Operating System filesystem comprises: 

3 creating the file representing the resource in the Operating System filesystem; and 

4 assigning an access value to a file attribute of the file representing the resource, the 

5 file attribute being used by the Operating System to manage file access, 

6 wherein the access value corresponds to a combination of a role and a 

7 resource. 

1 9. A method as recited in Claim 8, wherein the file attribute used by the Operating 

2 System to manage file access is a group identifier file attribute. 

1 10. A method for controlling access to a resource, the method comprising the steps of: 

2 receiving a user identifier from a user requesting access to the resource, wherein the 

3 user identifier is uniquely associated with the user; 

4 receiving a group identifier associated with a group to which the user belongs; 

5 based on the user identifier and the group identifier, determining a role associated 

6 with the user, wherein a role identifier is uniquely associated with the role; 

7 receiving a resource identifier associated with the resource, wherein the resource is 

8 represented by a file stored in the Operating System filesystem; 

9 constructing an access identifier on the basis of the role identifier and the resource 

10 identifier, wherein the access identifier conforms to the format of a group 

1 1 identifier file attribute that is used by the Operating System to manage file 

12 access; 

13 making an Operating System call to perform an operation on the file representing the 

14 resource, wherein the Operating System call uses the access identifier to gain 

15 access to the file representing the resource; and 

16 granting the user access to the resource only if the Operating System call successfully 

17 performs the operation on the file representing the resource. 

1 11. A method as recited in Claim 10, wherein the access identifier comprises: 

2 a first set of bits for storing the role identifier, wherein the role identifier represents a 

3 bitmap, each bit of the bitmap uniquely associated with a role of the user; and 

4 a second set of bits for storing the resource identifier. 
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1 12. A method as recited in Claim 10, wherein the step of making an Operating System 

2 call to perform an operation on the file representing the resource comprises: 

3 storing the group identifier value of a group identifier attribute of an Operating 

4 System process; 

5 assigning the access identifier to the group identifier attribute of the Operating 

6 System process; 

7 calling an Operating System routine from the Operating System process to perform 

8 the operation on the file representing the resource, wherein the operation on 

9 the file representing the resource is performed only if the value of the group 

10 identifier attribute of the Operating System process matches the value of the 

1 1 group identifier file attribute of the file representing the resource; and 

12 resetting the group identifier attribute of the Operating System process to the stored 

1 3 group identifier value. 

1 13. A method as recited in Claim 10, wherein the step of making an Operating System 

2 call to perform an operation on the file representing the resource comprises 

3 comparing the access identifier to an identifier included in an Access Control List file 

4 attribute associated with the file representing the resource, wherein the Access 

5 Control List file attribute includes the identifiers of all users and all groups of users 

6 allowed to access the file representing the resource. 

1 14. A method as recited in Claim 10, wherein the operation on the file representing the 

2 resource is selected from a group consisting of opening the file, closing the file, 

3 deleting the file, reading from the file, writing to the file, executing the file, 

4 appending to the file, reading a file attribute, and writing a file attribute. 

1 15. A method as recited in Claim 10, the method further comprising the steps of: 

2 reading a permission bit associated with the file representing the resource, wherein 

3 the permission bit corresponds to a file operation performable on the file 

4 representing the resource; 

5 based on the file operation indicated by the permission bit, determining a resource 

6 operation that is performable on the resource; and 
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7 granting the user the privilege of performing the resource operation on the resource 

8 only if the permission bit allows the file operation to be performed on the file 

9 representing the resource. 

1 16. A method as recited in Claim 10, the method further comprising the steps of: 

2 opening the file representing the resource; 

3 reading from the file representing the resource a permission indicator associated with 

4 a resource operation; and 

5 granting the user the privilege of performing the resource operation on the resource 

6 only if the permission indicator indicates that the user is allowed to perform 

7 the resource operation on the resource. 

1 17. A method as recited in Claim 10, the method further comprising: 

2 creating the file representing the resource in the Operating System filesystem; and 

3 assigning an access value to a group identifier file attribute of the file representing the 

4 resource, the group identifier file attribute being used by the Operating System 

5 to manage file access, wherein the access value is uniquely determined by the 

6 combination of a role and a resource. 

1 18. A system for controlling access to a resource connected to a network, the system 

2 comprising: 

3 a client host capable of accessing the resource in response to a request for access from 

4 a user; 

5 one or more processors executing an Operating System, wherein the Operating 

6 System operatively controls a filesystem that includes a number of files; and 

7 a computer readable medium having stored therein an Application Programming 

8 Interface, wherein the Application Programming Interface is logically 

9 interposed between the client host and the Operating System and comprises 

10 one or more routines including routines which, when executed by the one or 

1 1 more processors, cause the one or more processors to perform the steps of: 

12 creating and storing in the filesystem a file that represents the resource; 

13 receiving user-identifying information from the user requesting access to the 

14 resource, wherein the user-identifying information comprises a role 
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15 associated with the user, wherein the role is determined from a user 

16 identifier uniquely associated with the user and from a group identifier 

17 associated with a group that includes the user; 

18 receiving a resource identifier associated with the resource; 

19 creating an access identifier based on the user-identifying information and the 

20 resource identifier, wherein the access identifier is formatted as a file 

21 attribute that is used by the Operating System to manage file access; 

22 calling the Operating System to perform an operation on the file using the 

23 access identifier to gain access to the file; and 

24 granting the user access to the resource only if the Operating System call 

25 successfully performs the operation. 

1 19. A system as recited in Claim 18, wherein the access identifier comprises: 

2 a first set of bits for storing a role identifier, wherein the role identifier is associated 

3 with the role; and 

4 a second set of bits for storing the resource identifier. 

1 20. A system as recited in Claim 18, wherein: 

2 the step of creating an access identifier based on the user-identifying information and 

3 the resource identifier comprises formatting the access identifier as a group 

4 identifier file attribute; and 

5 the step of calling the Operating System to perform an operation on the file 

6 representing the resource comprises: 

7 assigning the access identifier to a group identifier attribute of an 

8 Operating System process; and 

9 calling an Operating System routine from the Operating System 

10 process to perform the operation on the file representing the 

11 resource. 

1 21 . A system as recited in Claim 18, wherein the operation on the file representing the 

2 resource is selected from a group consisting of opening the file, closing the file, 

3 deleting the file, reading from the file, writing to the file, executing the file, 

4 appending to the file, reading a file attribute, and writing a file attribute. 
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22. A computer-readable medium carrying one or more sequences of instructions which, 

2 when executed by one or more processors, causes the one or more processors to 

3 perform the method recited in Claim 1 . 



1 



23. A computer-readable medium carrying one or more sequences of instructions which, 

2 when executed by one or more processors, causes the one or more processors to 

3 perform the method recited in Claim 2. 



1 



24. A computer-readable medium carrying one or more sequences of instructions which, 

2 when executed by one or more processors, causes the one or more processors to 

3 perform the method recited in Claim 3. 



1 25. 



A computer-readable medium carrying one or more sequences of instructions which, 

2 when executed by one or more processors, causes the one or more processors to 

3 perform the method recited in Claim 4. 



1 26. 



A computer-readable medium carrying one or more sequences of instructions which, 

2 when executed by one or more processors, causes the one or more processors to 

3 perform the method recited in Claim 5. 



1 27. 



A computer-readable medium carrying one or more sequences of instructions which, 

2 when executed by one or more processors, causes the one or more processors to 

3 perform the method recited in Claim 6. 



1 28. 



A computer-readable medium carrying one or more sequences of instructions which, 

2 when executed by one or more processors, causes the one or more processors to 

3 perform the method recited in Claim 7. 



1 29. 



A computer-readable medium carrying one or more sequences of instructions which, 

2 when executed by one or more processors, causes the one or more processors to 

3 perform the method recited in Claim 8. 



1 30. 



A computer-readable medium carrying one or more sequences of instructions which, 

2 when executed by one or more processors, causes the one or more processors to 

3 perform the method recited in Claim 9. 
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1 31. A computer-readable medium carrying one or more sequences of instructions which, 

2 when executed by one or more processors, causes the one or more processors to 

3 perform the method recited in Claim 10. 

1 32. A computer-readable medium carrying one or more sequences of instructions which, 

2 when executed by one or more processors, causes the one or more processors to 

3 perform the method recited in Claim 11. 

1 33. A computer-readable medium carrying one or more sequences of instructions which, 

2 when executed by one or more processors, causes the one or more processors to 

3 perform the method recited in Claim 12. 

1 34. A computer-readable medium carrying one or more sequences of instructions which, 

2 when executed by one or more processors, causes the one or more processors to 

3 perform the rtiethod recited in Claim 13. 

1 35. A computer-readable medium carrying one or more sequences of instructions which, 

2 when executed by one or more processors, causes the one or more processors to 

3 perform the method recited in Claim 14. 

1 36. A computer-readable medium carrying one or more sequences of instructions which, 

2 when executed by one or more processors, causes the one or more processors to 

3 perform the method recited in Claim 15. 

1 37. A computer-readable medium carrying one or more sequences of instructions which, 

2 when executed by one or more processors, causes the one or more processors to 

3 perform the method recited in Claim 16. 

1 38. A computer-readable medium carrying one or more sequences of instructions which, 

2 when executed by one or more processors, causes the one or more processors to 

3 perform the method recited in Claim 17. 



-35- 

50325-0805 (Seq. No. 7841) 



